Dailydave mailing list archives
Re: Stealth.
From: "Andrew R. Reiter" <arr () watson org>
Date: Mon, 19 Sep 2005 21:17:12 -0400 (EDT)
On Mon, 19 Sep 2005, Dave Aitel wrote:
:
: Here's another shellcode paper for people who like that sort of thing:
: http://www.ngssoftware.com/papers/WritingSmallShellcode.pdf
:
: It's good, although it will fail on certain 2k/XP configurations with a . in
: the pathname. To correct it, might need some more bytes to do a getsystemdir
: and strcpy, etc. I have some really non-optimized code in Shellcoder's that
: does that. I would also have added a 7. Consider using a special purpose
: assembler that brute forces the smallest way to assemble it.
:
: If everyone knows what you look like, your only option for stealth is to try to
: make everyone look like you.
:
: -dave

This is a good one, especially since schemes like this have been seen in the wild (MS05-038 com obj overflows). I think the commonly seen code utilizing that scheme has been doing this (post decode):

- Load urlmon.dll
- Locate URLDownloadToFileA
- ... download ...
- WinExec()

But who knows :) So many things to do :)

-------------------------------------------------------------
"Natural bridges on a clean west swell,
Break over the reef like a bat out of hell."
-- Sublime.
Current thread:
- Stealth. Dave Aitel (Sep 19)
- Re: Stealth. Andrew R. Reiter (Sep 19)